[Dshield] Interesting information about SSH scans

lucy@lucindrea.com lucy at lucindrea.com
Wed Mar 8 20:18:20 GMT 2006


unfortunately yes , there are servers out there with these passwords (
root123 ).. 99% of the time it's a "test" system or something someone is
learning *nix on so they make any old password .. problem is they become
robots themselves and start scanning "real" systems.

for these

> user root, pass: 1qaz2wsx
> user root, pass: 1q2w3e4r5t6y
> user root, pass: 1qaz2wsx3edc

just look at your keyboard .. it's amazing how often a password is cracked
just by counting on the laziness of end users. any keyboard "pattern" is
easy to figure out .. and words like $3rv3r are cracked just as fast.
this is why i use password generators .. human nature is to find patterns
, programs don't have this problem.


> I set up some honeypots and also made a few
> modifications to the ssh daemon to print out the
> passwords these scans were trying to use. I noticed a
> reduction in the number of scans, but I still got a
> few in the last few days.
>
> Basically I noticed 2 different scans.
>
> ** Scan 1 - Attempt many passwords against the root
> account and a lot of attempts against common/default
> accounts (with the password being the same as the
> account name). Interesting is that some of the
> passwords for root don't look very simple and some
> use keyboard combinations (probably common too).
> Received scans of this type from 7 different IPs (same
> passwords, users, etc).
>
> ** Scan 2 - Attempt a lot of strange passwords against
> the root and admin account. Look below to see why I
> think they are strange. Looks like the scanner is
> broken :)
> Received scans of this type from 3 different IPs.
>
>
> *** User, password combinations:
>
> ** Scan 1 (user, password combinations):
> user root, pass: 1qaz2wsx
> user root, pass: 1q2w3e4r5t6y
> user root, pass: 1qaz2wsx3edc4rfv
> user root, pass: qazwsxedcrfv
> user root, pass: webmaster
> user root, pass: michael
> user root, pass: work
> user root, pass: maggie
> user root, pass: print
> user root, pass: 123456
> user root, pass: root1234
> user root, pass: 1qaz2wsx3edc
> user root, pass: qazwsxedc
> user root, pass: qazwsx
> user root, pass: internet
> user root, pass: mobile
> user root, pass: windows
> user root, pass: superman
> user root, pass: 1q2w3e4r
> user root, pass: network
> user root, pass: system
> user root, pass: administrator
> user root, pass: 123qwe
> user root, pass: manager
> user root, pass: redhat
> user root, pass: fedora
> user root, pass: okmnji
> user root, pass: qwerty
> user root, pass: httpd
> user root, pass: linux
> user root, pass: coder
> user root, pass: www
> user root, pass: 123123
> user root, pass: 1234567890
>
> user james, pass: james
> user cvs, pass: cvs
> user tony, pass: tony
> user bill, pass: bill
> user print, pass: print
> user maggie, pass: maggie
> user info, pass: info
> user http, pass: http
> user ftp, pass: ftp
> user dany, pass: dany
> user suse, pass: suse
> user oracle, pass: oracle
> user tomcat, pass: tomcat
> user backup, pass: backup
> user id, pass: id
> user sgi, pass: sgi
> user postgres, pass: postgres
> user flowers, pass: flowers
> user internet, pass: internet
> user linux, pass: linux
> user nokia, pass: nokia
> user bash, pass: bash
> user mysql, pass: mysql
> user webmaster, pass: webmaster
>
>
> ** Scan 2 (user, password combinations):
> These passwords look very strange... Will anyone
> ever use a password of root1234567890? :)
>
> user root, pass: root12
> user root, pass: root123
> user root, pass: root1234
> user root, pass: root12345
> user root, pass: root123456
> user root, pass: root1234567
> user root, pass: root12345678
> user root, pass: root123456789
> user root, pass: root1234567890
>
> user admin, pass: admin
> user admin, pass: admin1
> user admin, pass: admin12
> user admin, pass: admin123
> user admin, pass: admin1234
> user admin, pass: admin12345
> user admin, pass: admin123456
> user admin, pass: admin1234567
> user admin, pass: admin12345678
> user admin, pass: admin123456789
> user admin, pass: admin1234567890
>
>
> Thanks,
>
> --
> Daniel B. Cid, CISSP
> daniel.cid (at) gmail.com
> http://www.ossec.net/hids/


-- 
Time to revamp Kindergarten

1. Sharing is ILLEGAL

